AT&T Identifies Widespread Security Hole - In Locks
__roo writes "The New York Times has an article [free registration required] about a researcher at AT&T Labs Research who has discovered a little-known vulnerability in many locks that lets a person create a copy of the master key for an entire building by starting with any key from that building, and it requires little more than a file and a few key blanks."
so now Master is going to have to release patches and hotfixes?
"Hey steve, check out my new lock!"
"pffft, is it v.3.21.7?"
"no"
"that's like an invite for key kiddies and 1337 crackers"
For those that don't want to register, here's the full text:
Master Key Copying Revealed
By JOHN SCHWARTZ
A security researcher has revealed a little-known vulnerability in many locks that lets a person create a copy of the master key for an entire building by starting with any key from that building.
The researcher, Matt Blaze of AT&T Labs-Research, found the vulnerability by applying his area of expertise -- the security flaws that allow hackers to break into computer networks -- to the real-world locks and keys that have been used for more than a century in office buildings, college campuses and some residential complexes.
The attack described by Mr. Blaze, which is known by some locksmiths, leaves no evidence of tampering. It can be used without resorting to removing the lock and taking it apart or other suspicious behavior that can give away ordinary lock pickers.
All that is needed, Mr. Blaze wrote, is access to a key and to the lock that it opens, as well as a small number of uncut key blanks and a tool to cut them to the proper shape. No special skills or tools are required; key-cutting machines costing hundreds of dollars apiece make the task easier, but the same results can be achieved with a simple metal file.
After testing the technique repeatedly against the hardware from major lock companies, Mr. Blaze wrote, "it required only a few minutes to carry out, even when using a file to cut the keys."
AT&T decided that the risk of abuse of the information was great, so it has taken the unusual step of posting an alert to law enforcement agencies nationwide. The alert describes the technique and the possible defenses against it, though the company warns that no simple solution exists.
The paper, which Mr. Blaze has submitted for publication in a computer security journal, has troubled security experts who have seen it. Marc Weber Tobias, a locks expert who works as a security consultant to law enforcement agencies, said he was rewriting his police guide to locks and lock-picking because of the paper. He said the technique could open doors worldwide for criminals and terrorists. "I view the problem as pretty serious," he said, adding that the technique was so simple, "an idiot could do it."
The technique is not news to locksmiths, said Lloyd Seliber, the head instructor of master-key classes for Schlage, a lock company that is part of Ingersoll-Rand. He said he even taught the technique, which he calls decoding, in his training program for locksmiths.
"This has been true for 150 years," Mr. Seliber said.
Variations on the decoding technique have also been mentioned in passing in locksmith trade journals, but usually as a way for locksmiths to replace a lost master key and not as a security risk.
When told that Mr. Seliber taught the technique to his students, Mr. Tobias said: "He may teach it, but it's new in the security industry. Security managers don't know about it."
In the paper, Mr. Blaze applies the principles of cryptanalysis, ordinarily used to break secret codes, to the analysis of mechanical lock designs. He describes a logical, deductive approach to learning the shape of a master key by building on clues provided by the key in hand -- an approach that cryptanalysts call an oracle attack. The technique narrows the number of tries that would be necessary to discover a master-key configuration to only dozens of attempts, not the thousands of blind tries that would otherwise be necessary.
The research paper might seem an odd choice of topics for a computer scientist, but Mr. Blaze noted that in his role as a security researcher for AT&T Labs, he examined issues that went to the heart of business security wherever they arose, whether in the digital world or the world of steel and brass.
Since publishing Mr. Blaze's technique could lead to an increase in thefts and other crimes, it presented an ethical quandary for him and for AT&T Labs -- the kind of quandary that must also be confronted whenever new security holes are discovered in computing.
"There's no way to warn the good guys without also alerting the bad guys," Mr. Blaze said. "If there were, then it would be much simpler -- we would just tell the good guys."
Publishing a paper about vulnerable locks, however, presented greater challenges than a paper on computer flaws.
The Internet makes getting the word out to those who manage computer networks easy, and fixing a computer vulnerability is often as simple as downloading a software patch. Getting word out to the larger, more amorphous world of security officers and locksmiths is a more daunting task, and for the most part, locks must be changed mechanically, one by one.
But Mr. Blaze said the issue of whether to release information about a serious vulnerability almost inevitably came down to a decision in favor of publication.
"The real problem is there's no way of knowing whether the bad guys know about an attack," he said, so publication "puts the good guys and the bad guys on equal footing."
In this case, the information appears to have made its way already to the computer underground. The AT&T alert to law enforcement officials said that a prepublication version of the paper distributed privately by Mr. Blaze for review last fall had been leaked onto the Internet, though it has not been widely circulated.
"At this point we believe that it is no longer possible to keep the vulnerability secret and that more good than harm would now be done by warning the wider community," the company wrote.
There is evidence that others have chanced upon other versions of the technique over the years. Though it does not appear in resources like "The M.I.T. Guide to Lockpicking," a popular text available on the Internet, Mr. Blaze said, "several of the people I've described this to over the past few months brightened up and said they had come on part of this to make a master key to their college dorm."
Mr. Blaze acknowledged that he was only the first to publish a detailed look at the security flaw and the technique for exploiting it.
"I don't think I'm the first person to discover this attack, but I do think I'm the first person to work out all the details and write it down," he said. "Burglars are interested in committing burglary, not in publishing results or warning people."
Mr. Tobias, the author of "Locks, Safes and Security: An International Police Reference," said that the technique was most likely to be used by an insider -- someone with ready access to a key and a lock. But it could also be used, he said, by an outsider who simply went into a building and borrowed the key to a restroom.
He said he had tested Mr. Blaze's technique the way that he tests many of the techniques described in his book: he gave instructions and materials to a 15-year-old in his South Dakota town to try out. The teenager successfully made a master key.
In the alert, AT&T warned, "Unfortunately, at this time there is no simple or completely effective countermeasure that prevents exploitation of this vulnerability, short of replacing a master-keyed system with a nonmastered one."
The letter added, "Residential facilities and safety-critical or high-value environments are strongly urged to consider whether the risks of master keying outweigh the convenience benefits in light of this new vulnerability."
Other defenses could make it harder to create master keys.
Mr. Blaze said that owners of master-key systems could move to the less popular master-ring system, which allows a master key to operate the tumblers in a way that is not related to the individual keys. But that system has problems of its own, security experts say.
Mr. Blaze suggested that creating a fake master key could also be made more difficult by using locks for which key blanks are difficult to get, though even those blanks can be bought in many hardware stores and through the Internet.
But few institutions want to spend the money for robust security, said Mr. Seliber of Schlage. His company recommends to architects and builders that they take steps like those recommended by Mr. Blaze, measures that make it more difficult to cut extra keys -- like using systems that are protected by patents because their key blanks are somewhat harder to buy, Mr. Seliber said. Even though such measures would add only 1 to 2 percent to the cost of each door, builders were often told to take a cheaper route. He said that they were told, "'We're not worried about ninjas rappelling in from the roof stuff -- take it easy.'"
That is not news to Mr. Blaze, who said it was also a familiar refrain in the world of computer security. "As any computer security person knows," he said, "in a battle between convenience and security, convenience has a way of winning."
How did you post that message then?
"You heard the man, Tubbs.. get undressed."
courtesy of Google News
I would never post a message either.
What are you implying, sir?
remote access CLI with tools is the only friend you'll ever need.
Then scroll down. Aren't I nice :) Saved you the hassle good sir...
Every programmer puts backdoors in his code so he can wreak havoc when he's laid off.
Why should the lock business be any different?
In other news, guard dog sales are up...
"I only speak the truth"
Karma: null(Mostly affected by an unassigned variable)
Tom.
Oh arse
thanks, just waiting for it to appear :)
(waits for time to go by so he can post)
(waits for more time to go by so he can post)
remote access CLI with tools is the only friend you'll ever need.
And eye will own your barbies!#()!)(% PHEYUR!!! this is a sig line this is a sig line this is a sig line
In the CERT advisory, the Microsoft Corporation is quoted: "Those who upgrade to Windows XP Service Pack One should be unaffected by this exploit."
http://www.crypto.com/papers/
I see several problems with the article.
He said the technique could open doors worldwide for criminals and terrorists.
All in all, the article sounds more like fearmongering than a real concern.
Lock picking kits and exploits have been available for a very long time, out of the back of magazines (Soldier of Fortune, most notably), and there have even been text files about it. Why does it take a computer security expert to make us nerds consider "real life" attacks a possibility?
"You sir, have just crossed my happy line..."
There is an old proverb in *.ee
Locks are against wildlife. Humans will have no problems with them.
Hmmm... Seems to me this guy has come up with a technique to circumvent a technologically advanced security device. Would the DMCA apply in this situation? :)
OK, so where can I get the security patch ?
Every time I go to the cobbler's to have a key cut I normally end up taking it back. The fresh key is cut on a professional key cutting machine by someone who has probably cut thousands of them - I still end up taking it back because it doesn't work in the lock. I've also worked on the bench in an engineering company and am trained to use a file - detailed filing is not like filing your nails or removing huge burrs from machined metal.
Load of bollocks I say.
This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
How different is this from making an ordinary copy of a key, like people all around the world do everyday? It's like I borrowed the keys to someone's house, made a copy, gave the original back, and used the copy to open the door.
Seems way too much noise for such a everyday thing.
"...a little-known vulnerability in many locks..."
Yeah, until now.
Talisman
"Study your math, kids. Key to the universe." -The Archangel Gabriel
I find it interesting seeing that security by obfuscation is a prevalent concept throughout mankind's realm. I guess it is nurtured by the ostrich-sticking-head-in-sand effect of thinking something doesn't exist if we're not aware of it.
It also makes me laugh how newspapers always skew stuff for sensationalism: now terrorists are one step closer to the US. They are pounding on the gates! WATCH OUT!!! I think this security hole is mostly going to be used by 16 year old K-Mart workers.
Anyways, very nice article in the end, and hats off to AT&T for having 'brass hats'.
Interestingly enough, I didn't get any of the registration stuff - just the article. Perhaps they've changed their policy? Although that wouldn't explain why some people are still getting the registration message. Odd.
I'm sure this is nothing new. Professional criminals ( the smart ones, not the ones you see on Cops! ) have probably known about this for years. I mean, come on, unless a lock is custom made it came from a factory where there is a set number of templates.
Cars are the worst. I once opened a friend's car ( same make, model as mine ) with my keys. I think the car manufacturers must only have 50 or so lock variations. More reason to go to retinal scans.
From reading the article it shouldn't be a problem for homeowners. It requires masterkeying and getting a copy of any key in that system.
Since I only have one key for my whole house, they would need to get ahold of that, and if that happened I'd be screwed anyway.
I hope that someday we will be able to put away our fears and prejudices and just laugh at people. - Jack Handey
-S
--- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
If all you have between your floor network racks is a cylinder lock in a hallway, then yes you should worry about this. Think about it. How easy would it be to take out network access to a whole floor or steal access from a hall wiring closet? Not every employee who has a key is honest. I have also seen some server rooms that had a lock such as this. Server rooms and now even wiring closets should have controlled card key access at a minimum. Maybe biometric access should be looked into more closely.
Gorkman
...who has discovered a little-known vulnerability...
Little-known? Not any more, it isn't!
...we've still got our 10 year old electronic lock system that is no longer supported
-dk
What to do now ?
1. Create a New Locking System
2. Patent it
3. Charge 1 Cent on each lock that's created.
4. Invest your profits
Free Web based FTP
Thankfully they haven't published details on how to break into those locks on the bathroom and bedroom doors.
The builder gave me a bunch of those flat keys, so I have spares. Looks like I'll be picking up a bunch of those locks for my front and rear doors.
I hope that someday we will be able to put away our fears and prejudices and just laugh at people. - Jack Handey
Interestingly enough, I didn't get any of the registration stuff - just the article.
Same here. No sign of the usual registration page, just the article (and a pop-up).
Any system that has a "master key" to allow access - be it a physical lock on a door, a backdoor to a program, a key-escrow system, whatever, allows this kind of attack - get the master key, game over.
I had to design an encryption system to manage software options in a piece of gear I designed. I thought about having a "back-door" to enable options on any unit, the better to test software. I quickly abandoned that idea - let the master key get out, and it's game over. Sure, it may make my life slightly more difficult as a developer, but it also means that no one, not even me, can cheat the system.
When I had to write the system up for export permission, I described it in detail - algorithm, file formats, I even had to include the source code for the relevant sections. I suppose you could get that information with a FOIA request. Knock yourself out - if you don't have the private key of the keypair, you won't be able to create the options file.
Say it with me, kids - "master keys and back doors are BAD - JUST SAY NO!"
www.eFax.com are spammers
"There's no way to warn the good guys without also alerting the bad guys," Mr. Blaze said. "If there were, then it would be much simpler -- we would just tell the good guys."
But as ever, one person's good guy is another person's bad guy.
There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
This is hilarious.
I mean, anyone can break a window and jump right in!!
We can call that a "backdoor", and the plywood to cover them "patches".
That's the LA Times, numbnuts.
The funny thing is, the lock system was not designed to have a single master key. Instead, there was supposed to be a different master key for each building. The campus wide master key was an "emergent property" of the similarities between the various building master keys. Only students possessed this master key :-)
I still have the key, but it's not so useful any more, as they've changed many of the locks.
Doug Moen
I have written a truly remarkable program which this sig is too small to contain.
Xerox PARC have issued an advisory stating that any combination lock can be "cracked" by a malicious terrorist with a finger. Due to the digital [sigh...] nature of this crime, it is now illegal to own a finger under the terms of the DMCA and patriotic Americans are being asked to remove all their fingers in a show of solidarity. U.S. President, George W. Bush, is said to be having some difficulty removing his finger from his arse. £:-)
BTW did the original story remind anyone else of the safe-cracking chapter in "Surely you're joking, Mr. Feynman"?
Or, do I now fit in the same category with persons who possess a PhD in Nuclear Weapons?
--Mike--
So much for the Bolt Cutters, lock picks, drill & bits or a good hammer. All I need is a set of blanks, file and a bunch of time to 'decrypt' the master pattern through a dozen or so attempts.
I am guessing Occam's Razor doesn't apply here...
Light travels faster than sound. This is why some people appear to be bright. Until you hear them speak.
Thanks /., now every little 14 year old is going to run out and do this just to be a little more 1337... by releasing flaws to the public you're only making things worse...
I wonder if this will make bugtraq....
this was known for a LONG LONG time. what's new?
Does anybody remember the MIT Guide to Lockpicking (PostScript file??) that was readily available on the internet in the past? We downloaded it back in '94 and friend used it to make some lock picks by filing down some nails. Let me tell you, some fun was had on campus with the practical jokes that followed ;)
I don't understand... Why do locks have/need master keys? I thought you could only have one lock tied to a specific key. Are we talking about "Yale" type cylinder locks here?
Why would someone produce a lock for which a master key could be made anyway? Surely criminals would just steal or make a master key and they'd be laughing...
Is a master key an accidental side effect of the way a lock works, or are most locks intended to have a master key?
Nick...
The obvious problem that allows a lock to be an oracle is that the pins are independent of one another, so a "mixed" key that is partly master key and partly a normal key for that lock will open it. There presumably could exist a technical solution that needs only changes to the locks, and doesn't involve whacked-out Medeco[tm] patented key blanks with slanted cuts (although medeco may very well own related patents that would cover some aspects of the improved lock design). However, that solution would be mechanically somewhat difficult (there's a reason master keys are designed the way they are). Maybe there's a good business opportunity for "medium security" locks, but unless this attack becomes very widespread installations with a high theft risk may just start using electronic locks more. Not that many of those are that great except by significant degrees of obscurity -- I'm wondering how many independent parameters there actually are to this resonant-circuit proximity badge I got issued for access to a machine room...
I think that the manufacturer of the locks should sue AT&T under the DMCA for exposing weaknesses in an access control device. Furthermore, AT&T are terrorists for releasing this sensitive security information to the Net before other sites using the same locks are able to correct the vulnerability. I demand that the perpetrators that discovered the weakness with these locks be sentenced to life in prison. We can't have these hackers running free, finding security holes and disrupting national security!
Why bother.
I heard about this about 6 months ago. I was visiting the Computer Science department at the University of Pennsylvania, and a professor had just been shown a paper on this vulnerability, written by another professor. Is this coincidence? We'll see.
__________________________________________
Take comfort in your ignorance.
Grandmaster Plague
Am I the only one that wants bluetooth everywhere, including on my door locks, so that I can unlock my door either auto (when my cell phone + my key get close) or by entering a password (user preference)?
Among all the other cool data sync things I think bluetooth enables, the death of keys is the other cool thing I really want bluetooth for.
The ultimate network admin tool needs HELP!
When my house was built, I'm pretty sure the builder had a master key at some point.
Your credit card information wants to be free.
I would have expected a site like crypto.com to be able to take a couple hits before it went down.
anyone know of another place to get the pdf?
I assume its available.
Oh, and this inst really news, this has existed for years, for good reasons.
It just wasn't public knowledge... until now.
---- Booth was a patriot ----
That's probably common knowledge for most people that live in unsavory neighborhoods in large cities: Come home and semi-randomly throw 3 or 4 of the deadbolts on the apartment door at night. The next morning they're in a different configuration.
The method described in the article sounds like the slower of two methods to make master keys a friend stumbled across. He figured these out as a side effect of hand cutting a copy of his girlfriend's. She gave him a key to make a copy but rather than going to the store he wanted to see if he could do it himself with some blanks.
Cryptographer Matt Blaze (of AT&T), previously known for cracking the backdoor of the vaunted 'clipper chip', has submitted a publication to the IEEE journal "Security and Privacy" which demonstrates that given an ordinary building key (like your office key or one borrowed for the rest room) you can get 'root' access to the entire building (i.e. a master key) with no more than about 30 guesses and $2.00 at the hardware store, and typically much less than that.
The crack works on virtually all locks and was inspired by parallels to cryptographic analysis, reducing the search from exponential to linear, and exploiting 'key' generation weaknesses. Virtually all master-key locks are vulnerable.
There is also a story on the front page of the nytimes covering police verification of the threat including giving the instructions to a 15 year old.
Some drink at the fountain of knowledge. Others just gargle.
Every lock could be open using just a paper clip !
A Schlage employee, on condition of anonymity, said that they were consulting with their legal team on the feasibility of invoking the DMCA against Matt Blaze and AT&T. "Schlage locks are frequently used as a technological measure to protect copyrighted materials. By trafficking in information which allows the compromise of these locks, Mr. Blaze and AT&T are clearly violating the Digital Millenium Copyright Act."
Stop-Prism.org: Opt Out of Surveillance
actually, he didn't "discover" anything at all. he merely wrote a whitepaper about a topic that locksmiths have known about for decades. Hell, even the NYT article says this.
No doubt this story will be posted again sometime next week.
Maybe Timothy should have actually *READ* the article he is quoting.
The technique is very simple. Mr Blaze has only succeeded in reinventing the wheel. I discovered this on my own almost 40 years ago in high school.
All you need is a file, some key blanks, calipers or modified micrometers, a soldering iron, some solder, and a working key to any lock in the system.
Use the calipers to determine all possible legitimate key cut depths. A typical lock will have 5 or 6 tumbler columns. Each column will usually have 10 or fewer possible key cut depths. The range of legitimate depths can be determined by examining several keys from the same system with the calipers.
Make a few copies of the working key to modify. You don't want to mess up the original. Work with one tumbler column at a time. The idea is to change the key cut depth and find another cut depth that opens the lock. I used an old Weller soldering gun and some solder to build up the key cut to its highest value (minimum cut depth). Start filing and test each possible cut depth for another value that works. Frequently more than one can be found. This is common in sub-mastered systems. Record the working values and repeat the process for each tumbler column.
The master cuts will usually not share the same cut depth as the working key. When you've determined all of the master cut values, file yourself a master key using the new found working values.
Ok, there are a lot of replies here that seem to be saying that physical security, especially regarding locks, is not that important. You would be surprised.
Let's look at places that have master keyed systems:
So, it shouldn't be taken lightly that many master key systems are vulnerable to attack.
You can talk about your electronic lock systems all day, but most (at least in the UK) have a normal lock as part of them, with the electronic system for convenience and being able to tell who is where and when. If they don't have a normal lock in them, then they quite often have fire crash bars on the other side.
I haven't had a chance to read the paper yet, as the crypto.com site is slashdotted, as is the mirror I found. However, a lot of master key systems have vulnerabilities. For example:
Some keys have ridges down the sides. Sub master keys only differ from master keys in that they have these ridges, preventing them from being used in other parts of the building. File off the ridges, and off you go.
Get two or more keys from a mastered building. Notice similarities and differences. It is often very easy to deduce the master key from this, because often the mastering works by pins having several splits in them.
These are extremely simple ways of finding masters. There is of course the fact that keys are often badly controlled, and unlike passwords, are not easy to change from a central location.
Security through obscurity is often a method used with locks. And it works reasonably well. I would say that lock picking is a far rarer skill than being able to use a computer well.
Some of the more recent lock systems (Assa, Schlage etc.) are very hard to copy, sometimes involving three separate mechanisms in the lock which all need to work. This is if you can obtain blanks. Some even involve small magnets. They are hard, if not impossible to pick as well.
More worrying, however, is the lack of physical strength in most doors. If you aren't afraid of leaving traces, opening most doors by force is remarkably easy. Yale locks (front door latches) often only take one kick to open. Even mortice locks are often badly installed and not that strong. Even if the lock holds up, the door, most of the time, won't hold up to a crowbar, or in desperate situations, an electric saw of any kind.
So, although I am sure that the technique presented in the paper has been around for years, it's going public big time now. We're going to have to welcome the script kiddies who practise on the real world soon.
Does anyone else other than me think that this paper could go a long way in highlighting the stupidity of the DMCA?
Here's the method in a nutshell.
1) get a normal key that opens a lock.
2) count the notches; if it's a 5 pin tumbler, then buy 6 more blank keys. ($2.00)
3) cut 5 keys to be identical to the original except at one of the pin positions, let it be full height, so that you now have 5 keys each with a full height blank at a different pin position.
3.b) reducing the complexity. it's not physically possible to have a full height position adjacent to a deeply cut position. No problem, just cut it as high as possible; the master key suffers the same limits too, and this reduces the complexity of the pattern.
4) insert the first key. does it turn? No? then file off 0.010" of metal and try again. within 7 tries, usually only one or 2, it will turn. congratulations, you now know the pin 1 master height. (duh: ignore the turning at the original height.)
5) insert key2, rinse, lather repeat.
the beauty of this crack is twofold. first, you are discovering the master heights of each pin independently, so the combinatorics is just linear in the number of resolvable pin heights, not the product of pin-positions times pin heights. Second, you are also simultaneously factoring the ordinary key out of the master key combination, thus only discovering the master key, not some useless key that is part master and part ordinary key (that would only work on that particular lock).
6) Exception: if you cannot find a pin height that opens one of the tumblers (ignoring the obvious one for the original key) then the original key height is the one for the master too.
Some drink at the fountain of knowledge. Others just gargle.
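The two points made in the comments above (the step-by-step method just described, the earlier soldering-iron-and-file description, and the remark that the real flaw is that the pins are checked independently of one another) are easy to see in a toy model. The following is an added example written for this thread, not code from Blaze's paper or from any commenter: it models a master-keyed chamber as a set of acceptable depths per column, runs the one-column-at-a-time search against it while counting lock queries, and contrasts it with a hypothetical "strict" lock (not a real product) that only opens on a complete valid key and so leaks nothing per column. The bittings, the 5-pin/10-depth geometry and both key values are constructed sample data.

```python
"""Toy model of a master-keyed pin-tumbler lock and of why independent pins
turn it into an oracle (constructed example, not Blaze's code or data)."""
import itertools

PINS = 5          # tumbler columns (constructed geometry)
DEPTHS = 10       # possible cut depths per column, 0..9 (constructed)

# Constructed sample bittings, not taken from any real system. Position 1 is
# shared between change key and master, exercising the "no alternative depth"
# exception from the comment above.
CHANGE_KEY = (3, 5, 2, 7, 4)
MASTER_KEY = (6, 5, 8, 1, 9)


def make_independent_lock(change_key, master_key):
    """Conventional master keying: each chamber holds a split pin, so every
    column has two shear lines (the change depth and the master depth), and
    the columns are checked independently of one another."""
    shear_lines = [{c, m} for c, m in zip(change_key, master_key)]

    def opens(key):
        return all(d in shear for d, shear in zip(key, shear_lines))
    return opens


def make_strict_lock(change_key, master_key):
    """Hypothetical hardened design (assumption for illustration only): the
    lock opens solely on a complete valid key, so a key that is partly master
    and partly change key tells the attacker nothing about any single column."""
    valid = {tuple(change_key), tuple(master_key)}

    def opens(key):
        return tuple(key) in valid
    return opens


def oracle_recover(opens, change_key, depths=DEPTHS):
    """Per-column search as described in the thread: change one column at a
    time and keep the first alternative depth that still opens the lock.
    Returns (recovered key, number of lock queries made)."""
    recovered = list(change_key)
    queries = 0
    for i, known in enumerate(change_key):
        for depth in range(depths):
            if depth == known:
                continue                 # the change key's own cut already works
            trial = list(change_key)
            trial[i] = depth
            queries += 1
            if opens(trial):
                recovered[i] = depth
                break
        # If no alternative depth opened, master and change key share this cut.
    return tuple(recovered), queries


def brute_force_recover(opens, change_key, pins=PINS, depths=DEPTHS):
    """Baseline with no per-column feedback: try whole keys in order until one
    other than the change key opens the lock."""
    queries = 0
    for candidate in itertools.product(range(depths), repeat=pins):
        if candidate == tuple(change_key):
            continue
        queries += 1
        if opens(candidate):
            return candidate, queries
    return None, queries


def worst_case_oracle_queries(pins=PINS, depths=DEPTHS):
    """Linear bound: each column needs at most depths-1 trials."""
    return pins * (depths - 1)


if __name__ == "__main__":
    independent = make_independent_lock(CHANGE_KEY, MASTER_KEY)
    strict = make_strict_lock(CHANGE_KEY, MASTER_KEY)
    print("independent pins, per-column search:", oracle_recover(independent, CHANGE_KEY))
    print("independent pins, linear bound     :", worst_case_oracle_queries())
    print("strict lock, per-column search     :", oracle_recover(strict, CHANGE_KEY))
    print("strict lock, whole-key search      :", brute_force_recover(strict, CHANGE_KEY))
```

Against the independent-pin model the per-column search recovers the master in a few dozen queries, never more than `PINS * (DEPTHS - 1)`; against the strict model the same search returns only the change key it started with, and the attacker is back to enumerating whole keys, which grows as `DEPTHS ** PINS`. That gap, not the key blanks or the file, is the property a defensive lock design has to restore.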
Kevin Mitnick knew that about 15 years ago and no one listened..
Don't Tread on OpenSource
Everybody knows that. It's the way master-key systems work: you take off pieces until you have the most generic key, and the most generic key needs inherently to be the smallest and thus the least safe.
Not that it can't be news and research for security people, but I can't see how this can "make it easier for burglars and terrorists"; anyone in the business or anyone thinking about it for a few minutes knows that's how it works and has always worked, and how it has to work if you really want a master key system.
Talk about alarmist!
"He said the technique could open doors worldwide for criminals and terrorists."
He forgot to add pedophiles.
*Sarcasm*
Just like cryptography, these things are only good for terrorists and pedophiles.
Anyone quoted by a reporter knows how little they understand
Don't believe what you read is the truth.
you're a locksmith (in most states). This is a fully legal option, metal file and blanks are not illegal anywhere.
Now if you try this at your work you'll likely be removed. But what the hell, give it a shot anyway.
For once the icon is very appropriate.
will take a much longer time to crack, if only I can figure out a way to fit it in my pocket...
Fortunately, most thieves do not need to crack the keys. It is much easier to simply bash the door in.
If this is true then wouldn't bolt cutters be considered a circumvention device also? Guess they better invoke the DMCA and sue the hardware stores to remove bolt cutters from their inventory. Or better yet, sue the manufacturers..
DMCA- The most abused legislation on the planet..
"I bow to no man" - Riddick
Longer keylength...
When I replaced the locks on my house, the lock company advertised a series of locks with a restricted keyway, which meant according to the locksmith that their company was the only one in the region where you could get key blanks, cylinders or other hardware associated with this series of locks.
I ran into this phenomenon in college; I tried to make a copy of my girlfriend's dorm room key at several hardware stores. I actually milled off and polished the head of the key where the "DO NOT COPY" and "UNIVERSITY AABBCC" info was on it so it looked like an ordinary key.
The last place I went to the guy looked at me and laughed and said, "Nice job, but it's a university key -- the blanks and hardware are sold directly to the University key shop. Even if I wanted to, I couldn't make a copy of it, I have no blanks that will work."
Anyway, the technique described here requires a bunch of blank keys, which if you can't get or are extremely hard to get makes you wonder if this technique would work in places that employ limited keyway hardware.
No need to "Free Kevin" anymore... he's got the master key!
"No, Officer, I didn't steal the key to the prison, I didn't take any hostages, all I had to do to get out was use this file here that Randall sent me in a Perl 6.0 Birthday Cake..."
In 10 - 15 years, not only will these cases NOT get thrown out, these cases will WIN, resulting in multi-billion dollar awards.
I'd like to see this paper; it would certainly make life in the dorms much easier!
autopr0n is like, down and stuff.
this is absolutely hilarious because of the fact that this so plainly illustrates the hypocrisy inherent in the DMCA.
if this guy were publishing a similar article about virtual locks in operating systems, he would be in JAIL already, awaiting trial and facing billions of dollars of charges against him.
gotta love it
A year spent in artificial intelligence is enough to make one believe in God.
You have a key which works in all locks, and each lock has to have an additional addition to its form, which must be unique to each submaster.
each individual lock mechanism matching the key has a matching subtraction, but is two phase, meaning this subtraction is optional.
This means either the master or the minor key set will operate the lock.
Of course, if every ring in the lock was 2 phase, then from one key you would still have quite a bit of hacking to get BACK to what the original is.
Imagine:
23546874682763 As a master key 'pattern'
Then add these values to the key, and make the negative arrangements for the lock:
10111011101101
You now have a new key which you can manufacture a new lock for. And someone would have to KNOW the 'key values' for this key to find the lock.
Physical brute force attacks are slightly more time consuming, unless you use a machine designed for the task, and install it next to the lock to automatically try them.
So 1 : stupid article for stating the obvious (more complex keys ARE more expensive)
2: Rubbish comments from people more interested in hearing their own voice than thinking
3: Simple solution really.
4: PERL sux a$$
5: l33t speak is for people with IQ's over 100. Base 2.
PS : no I cannot be fucked to spell check this drivel.
locksmiths around the world are pissed because to do their job, they are circumventing the protections put in place by the manufacturer of the lock. They are therefore violating the DMCA and can be dealt with accordingly.
yeah, but we trust them to only do it when we call them. don't worry that most of them are ex-cons that were caught breaking and entering and now are trying to find a legit job. sounds like Kevin.
Why read the article when I can just make up a snap judgement?
The so-called "little known" faults with locks have been around since the little things have been invented. There are books on how to circumvent locks.
For centuries, locksmithing has been a sort of "black art" and the inner workings of them kept under tight control. But that only goes so far, as we all know from the Crypto industry.
Locks are, in fact, absurdly easy to open if you know what you're doing. If you've got one key to a lock that is master keyed, you can easily figure out what the master key looks like. Without that initial key, it's only slightly more problematic.
And don't think safes are any safer. Except for those that are specifically designed to thwart attack, most safes are designed to protect documents from fire and environmental hazards. They are not designed to keep intruders out. For those types of safes, anybody with a heavy hammer and a metal punch can open it. You'd be surprised how many people are stupid enough to put cash and valuables in them. In high schools, the combination padlocks on school lockers can easily be opened with a screwdriver.
As the old saying goes, locks are meant to prevent honest people from being tempted. The crooks don't care.
I studied locks in depth when I was in high school and put that knowledge to good use when I needed quick cash as a starving student in university.
Needless to say, I'm posting this anonymously.
How about having a double-sided lock, where the regular keys move tumblers on the top, but the master key moves tumblers on the bottom - and rigging it so either set of tumblers can release the lock?
Then the unique keys need not have any relation to the master key at all, thus returning the security level of these devices back to where most people thought it already was.
-Baron Yam
I've worked in hardware stores most of my life. This isn't exactly new or revolutionary. Or especially meaningful. In the time it takes to file a single key by hand - which may or may not work - most people can learn to pick locks, which you only have to do once. With a little practice, most consumer locks can be picked in a matter of seconds. A skilled lock picker can open consumer grade locks as quickly with a pick as with a key.
this could be bad, if any idiot can make a master key for a dorm room, I might have to rethink how I store things. Perhaps a lock box in my room is in order.
Let's not forget that with a little social engineering you can get the same results. When I was in High School I obtained the master keys for both the Middle School and the High School, even had the alarm codes at one time. It's all about who you know (or sleep with).
The dingo ate my sig.
So, metal files are now illegal circumvention devices prohibited by the DMCA?
Most Scottish railway stations have bins in them, as Scotland is not seen as an IRA target (apparently, we have a common cause - liberation from England - and that means the IRA sees us as kindred spirits).
I've known about this for probably 10 years now. I thought that was common knowledge. Anyone else already know this as well? Or was I privileged to some privy information?
Redmond, WA
Now you can secure your house with the new .net doors, planned for the "ultimate experience in opening and closing doors". The locks will be activated by a .net passport, thus permitting the event log of all the door activity on the M$ serv^h^h^h^h^h^h on the door security event log.
All doors will come with a "Windows Door Edition", which sounds very nice, but attention: some people have already reported that the new doors are incompatible with actual windows (not the OS! not the OS!, Ballmer shouted 18 times).
The AT&T alert to law enforcement officials said that a prepublication version of the paper distributed privately by Mr. Blaze for review last fall had been leaked onto the Internet, though it has not been widely circulated.
Sigs? We don't need no stinking sigs!
1. Put some tension on the lock.
2. Twiddle with the tumblers to find out which one is carrying most of the load (unless the lock is both pretty new and well-manufactured, one of the tumblers is almost certain to be carrying most if not all of the tension load).
3. Twist that one tumbler until you feel the tension release a bit - you just figured out that one number in the combination as the drop in tension is caused by the pin sliding into the slot in the tumbler.
4. Repeat until you get the lock open.
With a cheap lock and some experience, you can probably do it about as fast as someone who knows the combination.
to rule them all, and in the darkness open the door.
This technique is only marginally safer (less detectable) than an attack with lockpicking tools.
And then he said:
"Burglars are interested in committing burglary, not in publishing results or warning people."
How many people are really worried about this risk? Hell, the last place I was at, they installed a window in a PUBLIC hallway so they could show off the computer room.
Of course, that window was secured with embedded chicken wire....
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
This is not an unknown technique. I did this 30 years ago in college. And I only made adaptations to the technique described in a book on locksmithing which was checked out of the college library. I just didn't have any blanks to work with so I made do with one lost key I found. The campus used a type of blank not sold to the public.
A grand master keying system is based on 5 to 8, but usually 6, tumblers, with typically 10 levels or codes for each tumbler. A simple master system will have at least 2 tumblers with double cuts (but the doubles cannot be cut too close). A more complex system with a level of submastering will have 4 tumblers double cut. A grand master system with potentially two or more levels of submastering will have all the tumblers double cut.
Presuming it is a grand master system (and very large numbers of change keys generally are made this way even if no grand master key is produced), then you can presume that each position on the key is different between your key and the grand master. And not only is it different, but you can also rule out the level which is one above or below what your key has (the tumbler piece would be prone to pivot and jam, instead of slide, if cut too close). And even two levels apart is often avoided because a tumbler piece of those length can jam, although they insert a ball if the tumbler width is the same as 2 levels in that position (or 3 in some systems).
So for a typical 6 tumbler 10 level system, you can rule out 3 levels (or 2 if your key is at the highest or lowest) at each position, and the levels 2 above and below are less likely (try them last).
From your key, you can figure out about where all the levels are. Any additional keys (and I had one, and since this is a non-destructive step, I could also look at a friends' keys) can help. Now with the one spare key I had (extras help a little), you begin the step to find the master levels.
When a key position is ground just a little bit too high, usually about 1/4 of a level interval, it can still engage the tumbler cuts, but it will be rough when doing so. The same thing happens when it's low, but that's not helpful, so make the cut a little high. Even if the other positions are wrong this can be done, but if they are right it's easier. Putting a bit of solder on the position to raise it really helps because now you can see an indentation formed due to the pressure. Attempting to turn the key in the lock will try to work in those positions just a bit off, but will leave a mark on the key, especially if the metal is soft like solder. If there is no indent, you didn't get the right level, so try another at that position.
Repeat for all positions. If you are good you can even work all positions in parallel and accomplish this in just minutes. Once you have a level for every position which is at a different height than your own key, you probably have the grand master. If your key was really a submaster, this could trip you up. But they generally try to avoid giving out submaster keys to students.
There are two other ways to do this.
You can remove the lock and pull the tumblers and measure them. Be very careful because when you tap out the slide to expose the tumblers, do so one at a time because there's always a spring on top to keep the tumblers under pressure. Of course don't lose the parts, and don't lose the order the tumbler pieces come out. Now you can simply see what levels for each position make up the grand master.
Another method is to figure out all the levels and their distances. The micrometer caliper helps here. Write down the levels for your key. The next step is to examine other keys of other students. Of course they will think you're trying to make a copy of their key, but if they're your friends and you can trust them, you can reveal your real plan. Write down the levels for their key as well. This now lets you rule out some more levels at each position which the master cannot be. With enough keys you can narrow down just what the grand master key is.
If all the keys you examine are part of the same submaster system, you'll notice that 2 or 3 or maybe 4 positions are just the same on all keys. The grand master will be different there, but if you just cut your new master key at those levels anyway, while you won't have a grand master, you will end up with a submaster which can be used on all the locks in area (usually a building or so) that the examined keys came from.
A combination of having a few change keys (yours and a few friends' keys) to rule out more levels in some positions, and working with the first method to find the master levels, can speed things up for you.
Like I said before, I didn't actually invent these methods; I read them from a locksmithing book. I merely adapted the solder techniques to make things a little easier. Real locksmiths can do it without solder.
now we need to go OSS in diesel cars
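The post above describes a 6-tumbler, 10-level pin-tumbler system and the rules that shrink the candidate master cuts at each position. The following is an added example, not code from the thread or from Blaze's paper: a small model of a master-keyed cylinder from the lock designer's side, showing why the extra master wafer in each chamber means the cylinder accepts 2^n bittings (the "phantom" keys a system designer has to count), and why the cost of recovering the master from one change key grows as a sum over positions rather than a product. The key bittings and the `LEVELS` constant are constructed for illustration.

```python
# Added example (not from the thread or Blaze's paper): a pin-tumbler model of a
# master-keyed cylinder. Cut depths are integers 0..9 as in the thread's
# "10 levels" per tumbler; the change and master bittings below are constructed.
from itertools import product
from math import prod

LEVELS = 10  # depths 0..9 per position (constructed to match the thread)


def chambers(change_key, master_key):
    """Per position, the set of cut depths that put a break in the pin stack at
    the shear line. A master-keyed chamber carries an extra wafer, so it has two
    such depths: the change cut and the master cut."""
    return [{c, m} for c, m in zip(change_key, master_key)]


def opens(key, chamber_depths):
    """True when every position of the key sits at one of that chamber's shear depths."""
    return all(cut in depths for cut, depths in zip(key, chamber_depths))


def working_keys(change_key, master_key):
    """All bittings the cylinder accepts. Each chamber accepts either of its two
    depths independently, so with n master-keyed positions there are 2**n working
    bittings, not two; the extras are the phantom keys a system designer counts."""
    return [list(k) for k in product(*chambers(change_key, master_key))]


def phantom_key_count(change_key, master_key):
    """Accepted bittings other than the two legitimate keys."""
    return len(working_keys(change_key, master_key)) - 2


def candidate_master_depths(change_cut, exclude_adjacent=True):
    """Depths the master cut can still take at one position under the rules the
    post states: it differs from the change cut and (by default) is not within
    one level of it, because such a thin wafer tends to jam rather than slide."""
    return [d for d in range(LEVELS)
            if d != change_cut and not (exclude_adjacent and abs(d - change_cut) == 1)]


def search_cost(change_key, exclude_adjacent=True):
    """Worst-case number of test bittings needed to recover the master given one
    change key. Positions can be resolved independently, so the cost is the SUM
    of per-position candidates; a cylinder that was not master keyed would force
    the PRODUCT (a guess at the whole bitting). This gap is the risk that
    master keying introduces, independent of any particular technique."""
    counts = [len(candidate_master_depths(c, exclude_adjacent)) for c in change_key]
    return sum(counts), prod(counts)


if __name__ == "__main__":
    change = [2, 5, 8, 3, 6, 1]  # constructed change key bitting
    master = [5, 2, 4, 7, 3, 9]  # constructed grand master bitting
    ch = chambers(change, master)
    print("change opens:", opens(change, ch), "| master opens:", opens(master, ch))
    print("phantom keys accepted by this cylinder:", phantom_key_count(change, master))
    print("per-position sum vs whole-key product:", search_cost(change))
```

Run as-is it reports 62 phantom keys for the constructed pair and a search cost of 42 versus 117,649; setting `exclude_adjacent=False` gives the looser 54 versus 531,441. The point for a system owner is the ratio, not the exact figures: any keying scheme that lets each chamber be tested on its own collapses the keyspace to something linear in the number of positions.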
Greetings, Professor Falken.
Where is the pdf file mirrored? The NY Times server seems to be ./ed and won't respond.
Bob
This post encoded with ROT26. If you can read it, you've violated the DMCA. Handcuffs please, sergeant.
Don't suffer from this vulnerability. You can't get the keys cut at most locksmiths. The tumblers key on height and angle. But hey, if you can pick three different locks from Medeco there is a standing $10k prize that has never been claimed.
Just because most homes use cheap low security locks doesn't mean most businesses, or the government do.
I think Schlage should start the BLA (Business Lock Alliance) and send people notices:
ACT NOW and we won't fine you for illegal copies of your keys. When you lose your keys, you MUST buy a new lock! If you buy this shiny new lock, we will not bring the police to your house and imprison your family.
This is a LIMITED TIME offer of amnesty! ACT NOW!
T
---- It puts the lotion on its skin or else it gets the hose again. It does this whenever it's told.
The college kids have lots of free time and no homework. Some of them were even already bent over their practice locks honing their MIT lockpicking skills. I do believe it just became much less advisable to own a laptop in a university dorm!
And now for the secure solution. You're gonna like this (in German).
now we need to go OSS in diesel cars
I know you're not serious, but exactly what part of the system being circumvented is digital?
Well, a pin can be either up or down. That's probably digital enough for a shyster to work with. What's more, the set of all possible heights for a pin is probably not analog either. A lock system can be perfectly modeled by any type of digital system, which pretty much means the locks under discussion are a special case of a digital system. They just happen to be implemented mechanically rather than electronically.
All it would take is a sharp lawyer to walk a receptive judge through it and there's a precedent for applying the DMCA to non-computer security issues.
yet another anti-MS karma whore. yawn
I have not read Blaze's paper yet, but this does not seem too earth-shattering. I recall seeing this discussed in alt.locksmithing when I was in college (early to mid 90s), so this is certainly not new information, at least for those interested in lock[smithing|picking].
... this is the vaunted back door or front door exploit ... side doors too.
Infuriate left and right
There's another aspect to this article besides the lock-hacking technique.
The writer speaks of the familiar dilemma of whether to publish to the "Good Guys," which notifies the "Bad Guys" simultaneously, or keep the information secret, knowing the "Bad Guys" could be sharing it already. Same old story we know from cyber security.
Then there's the "Locksmith" angle, "We've been teaching our students this for years, nothing new here." One wonders how the teachers sorted the trustworthy students from the evil students.
Good guys, bad guys, locksmiths, students, trustworthy, evil.
The enormous elephant here is whether people and their motives can be categorized this way. The truth is, these categories aren't cut and dried distinctions.
Take your government agent, for instance. When we're thinking about wiretapping mad bombers, they look more like good guys. When we're thinking about wiretapping political dissidents, they're bad guys. Same people, same behaviors, different categories.
Even discussing the distinction brings up more fuzzy categories: "bombers," "dissidents," "we."
As long as security is addressed from a good-guys vs bad-guys distinction, the argument will go in circles, because you can't really sort out the good guys from the bad guys without a clear value context. If you're diligent, you'll get mired in the values debate, and if you're not, you'll end up drawing biased conclusions.
The best strategy in the good guys vs. bad guys debate is not to play the game.
When making powerful tools like locks, master keys, and cryptography, you have to bite the bullet that you can't really manage the motives of the tool users.
Oh, one more thing. If you do decide to make yourself a grand master key, and are tempted to carry it around on your key ring, cut the hilt off so that the key will go in too far to work. Then only you will know that you have to put it in only part way. So if you get stopped and someone thinks you might have a master key and tries the keys on your ring, their natural human thing of "go all the way" will prevent them from detecting that your key works the lock.
now we need to go OSS in diesel cars
Bruce
Bruce Perens.
So, where should the balance be?
"Empathise with stupidity, and you're halfway to thinking like an idiot." - Iain M. Banks
The reader is cautioned that reproduction of these experiments should be carried out only with the cooperation of the owner of the lock systems on which the attack is attempted.
... is whot bwings os tugevza tsuzay.
"Moderations: 40% Insightful, 70% Informative"
I'm assuming the percents refer to the number of people who have moderated this post. But I still don't see how this makes any sense.
40 percent of people who moderated this post think it is insightful, while 70% find it informative? Since this is over 100% it implies that some person(s) moderated this both insightful and informative. I didn't think it was possible for a mod to moderate a post more than once. This is screwy..
That's not very stealthy. Still though, I agree with the general idea. Most crooks won't use this technique.
For example, there was some interesting social engineering going on near DC recently: Late at night a "woman in distress" claims her car has broken down and she needs to use the phone. Chump invites her in, male partner gains access to the house immediately thereafter and robs them. Why bother with blanks and files when you can just bluff your way in? And college dorms? Easy pickins when the students are drunk. Come to think of it, drunks are just such easy marks to begin with. When I was a paper boy, I wished I'd had a dollar for every time a drunk left his keys IN THE DOOR.
Why resort to clever hacks when there are so many easy marks?
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
For one thing, building up solder in each position makes it a lot easier to see the indentations. But the real reason this works is that if you apply a back and forth motion as your attempt to turn the key, the indentations can be made even if the other positions are not cut properly at all. So this can be done with one key, and it doesn't even have to be a blank (but it does get modified in the process, so if you can get a blank, that's better).
now we need to go OSS in diesel cars
Just offhand:
(1) cut 6 identical keys to the original
(2) In one slot, cut as far down as possible, and drill a hole in that location, where you can put a mobile pin on a spring and a wire.
(3) drill a hole along the base, as well, and run the wire through.
(4) Now pull on the wire to find the alternate height. No filing required [prework necessary].
Just write down the numbers you get
(5) Go home and cut new key.
Also: to get around the lack of a blank:playdoh; wax; metal; plaster; small metal casting. Or digital camera; ruler; grinder; piece of small metal.
I don't take much comfort in those workarounds.
At this point, I think that digital locks with varying codes might be a tad more secure. For example, to get the day's code, the admin takes his phone number [or street address, though a random memorized number is best], adds the date to each digit and the time on the lockbox to the last 4 digits, and that's the code. Before he gets up to go in, he figures out what it will be, in his head. Of course, if he forgets entirely, he can take a blowtorch, melt the plexiglass, and let the secretary out. Then call in work crews to replace the plexiglass, and stay there, meanwhile, memorizing the *new* number, and keeping an eye out for ninjas rappelling down from the roof.
Or he can write the code on his desk, the front of his pocket protector, or whatever.
Or how about this? Specialized beeper tied to lockbox, on continuous recharge. Beeper takes incoming code, checks it against security code, checks source phone number against President's code -- and authorizes computerized lockbox to open upon access key, within the next 1 minute.
Now, to go in, you pull out your cell phone, call the company president -- he pulls out his video cell phone, calls a video cell phone watching the hall; makes sure that it's you, and then calls the beeper, enters the code [encrypted, of course], and authorizes you to go in.
Of course, I'm not a cryptologist. I'll bet a cryptologist could find a dozen ways to break my idea apart. After all, the more complex a system is, the more flaws it has (doesn't it?)
Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
It's called a skeleton key. They've been around for a hundred years.
The trick is not giving keys to people who will misuse them.
Think of it as 'root' access for a physical lock?
-- You can't idiot-proof anything, because they're always coming out with better idiots.
Couple decades back, I left my job as a cryptanalyst and became a software engineer here in the midwest. After a few months I bought the house I was living in, a four-plex, and became a landlord. First thing I did was to rekey all the locks. While I was filing away at little bits of metal, I realized just how similar this business of keying locks was to crypto.
The locks I was rekeying were all simple, so I didn't bother to think about cryptographic attacks on master-keys.
In the crypto world, there's a word for "master keys," they're called "trap doors."
Oh, I thought it was a PHB smiling... :-)
Employee of Inrupt, Project Release Manager and Community Manager for Solid
1) You need a key to begin with.
:)
2) If your institution is only using traditional pin and tumblers, it is very vulnerable to picking and outright impressioning already.
3) Most institutions that have anything to protect already use the appropriate safeguards that he recommends--both universities I've attended have used Medeco locks. These are patented, but not security through obscurity--they have inclined cuts, making impressioning EXTREMELY difficult. Government labs I've been to are on card swipe.
I can't remember any place other than high schools that still use the traditional locks.
Perhaps someone out there can tell me if their institution uses them? I wouldn't mind an address as well....
Perhaps this will act as a wake up call to the lock manufacturers. Key locks are always insecure, because people lose keys, or they can be stolen. It's much more difficult to steal a combination from someone's mind.
We need to use combo locks instead. (not Masterlock padlocks, I'm talking regular locks - like deadbolts - but with a combo mechanism instead). If a person accidentally tells someone the combo, the lock could be easily reset to a new combo.
Then there's no inherent risk of key duplication, etc. The "master key" in this case would be to just have the combo on file with the landlords. If the file was compromised, the lock could be set to a new combo, rather than having to install new locks in all the doors.
The method as described on other comments, is just brilliant.. But there is one problem that nobody has mentioned..
How do you get the blanks ?
You see, with master-key systems the keys have other shapes than ordinary keys (often a mirror pattern if you look at the end of the key, so ordinary keys won't fit in master locks). Keys in master-key systems are often also a little longer than ordinary keys.
And Joe sixpack just can't walk into any hardware store and ask for the blanks.. The hardware store has limited numbers (if any at all) and has to get the paper-certificate that was delivered with the key-system, before they will cut you a new copy.
And, no, just bringing the master key to them and asking for a copy doesn't work (I already tried that ;-)
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
1) interchangeable core locks (Falcon or Best types). In addition to having master pins for the master key, there will be additional pins for the alternate shear line for pulling the cylinder out. Basically, if you find another key cut that works, you don't know if you have found the master key or the cylinder removal key cut.
2) MK? GMK? GGMK? Some key systems have multiple levels of keying. Though a well-designed system won't have too many stacked master pins, you still will likely end up finding a cut that works and not knowing if it's for the Master Key, Grand Master Key, Great-Grand Master Key, etc. Depending on the "resolution" of the key system, you could end up with a sub-master that only opens (say) five doors.
3) restricted keyways. Medeco, Assa, Schlage, et al. offer numerous restricted keyways. Good luck finding blanks.
4) maximum adjacent cut differential. A Schlage key, for example, can have a depth from 0-9 on any given cut, but no two cuts that differ by more than 7 can be next to each other. If your office key is cut to 99333, and the master key is 51133, then one of the keys you'd have to cut using this system is 91333. A nine and a one are over the max differential, which would either obliterate the "1" cut, or the angle between them would be too steep-- in which case, good luck pulling this key out again.
If a job's not worth doing, it's not worth doing right.
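Point 4 above gives concrete Schlage figures: depths 0-9, a maximum adjacent cut differential of 7, a change key of 99333 and a master of 51133. As an added example (not code from the thread or from any manufacturer), here is a MACS validator that a key-system planner can run over a proposed change/master pair to see which of the intermediate bittings the comment describes are not cuttable at all. The function and parameter names are my own; the depth strings are the comment's.

```python
# Added example (not from the thread): a maximum adjacent cut specification (MACS)
# check using the comment's Schlage figures (depths 0-9, MACS of 7).
# Bittings are strings of decimal depths read bow to tip.


def macs_violations(bitting, macs=7):
    """Adjacent positions whose depth difference exceeds the MACS,
    as (index, left_depth, right_depth) tuples; empty means the key is cuttable."""
    depths = [int(ch) for ch in bitting]
    return [(i, depths[i], depths[i + 1])
            for i in range(len(depths) - 1)
            if abs(depths[i] - depths[i + 1]) > macs]


def is_cuttable(bitting, macs=7):
    """True when no adjacent pair exceeds the MACS."""
    return not macs_violations(bitting, macs)


def single_swap_bittings(change_key, master_key):
    """Keys that differ from the change key in exactly one position, taking the
    master's depth there: the intermediate bittings the comment talks about."""
    keys = []
    for i, (c, m) in enumerate(zip(change_key, master_key)):
        if c != m:
            keys.append(change_key[:i] + m + change_key[i + 1:])
    return keys


def uncuttable_swaps(change_key, master_key, macs=7):
    """Intermediate bittings the MACS refuses. For a system planner, each one is a
    position where the change/master depth pairing cannot be reached by a standard
    key machine; a steep enough step either obliterates the shallow cut or leaves
    a ramp the key cannot be withdrawn over."""
    return [k for k in single_swap_bittings(change_key, master_key)
            if not is_cuttable(k, macs)]


if __name__ == "__main__":
    change, master = "99333", "51133"  # the comment's figures
    print("change cuttable:", is_cuttable(change), "| master cuttable:", is_cuttable(master))
    print("single-position swaps:", single_swap_bittings(change, master))
    print("refused by MACS 7:", uncuttable_swaps(change, master))
```

For the comment's pair the validator flags 91333 (the step from 9 to 1 at positions 1-2 is 8) and also 99133, which the comment did not mention; 59333 passes because a 5-to-9 step is within 7. The checker is deliberately generic in the number of positions and in the MACS value, so it can be pointed at other manufacturers' specifications by changing one argument.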
the lock system was not designed to have a single master key
The system you describe was clearly designed to include a top level master (your key). A "different master key for each building" would simply have been a sub-master: that submaster key shares a certain number of cuts with the top level master, with the remaining cuts on the submaster being identical to cuts in that position on every change key for that building. Now, if you meant that they never intended to produce that single top level master or let anyone carry one, that I wouldn't know...
Most of us who are interested in security have known this for at least 20 years. Cripes I remember kids in college doing this same thing to get a key that works with all the doors in their dorm back in 1989...
and now AT&T Labs is just discovering it?
Yikes!
Do not look at laser with remaining good eye.
"Of course, that window was secured with imbedded chicken wire...."
A surprisingly essential part of mainframe security. I still have nightmares of that one time...
the chickens...
they're EVERYWHERE!
Democrats or Republicans. They are both taking us to the same place and they are not afraid of us anymore.
But don't let ANYONE tell you windows are any better! :P
-Jason
C'mon guys, locksmiths have known this since pin and tumbler locks caught on. I spent a year as a locksmith apprentice and saw this done many times and it takes f*ing FOREVER, scratches up the pins in the lock and is very, very, obvious.
Next, researchers will tell the public that almost any car can be *gasp* hot-wired!
Hook-up a dynamo to the door handle - when there's no power, pump door handle to generate power for electronic lock. Or make it a separate handle/crank.
I don't think you need very much energy to open a lock if you design things properly.
They have wind-up cellphones and radios. Why not something similar for electronic door locks?
No, you're wrong. The beauty of this scheme is that you don't have to figure out the combinations of the splits. Read it again. The only place you get in trouble with combinatorics is if there are three splits instead of just two. Three would be unusual.
Normal pedestrians cannot get blanks for some key types. The blanks are kept locked away.
In particular: Medeco. The keyways (the pattern of slots on the key's side that admit it to the cylinder) in their high-security models come in a number of (copyrighted) combinations, each sold only to one locksmithing company which is under contract to only resell cut keys, keep records (with ID and passwords) of the buyers, and only sell COPIES to the legitimate owner(s) of the particular lock. The privileged smiths go along with this, too, because Medeco tries to get them to violate the contract and will transfer it (along with the lucrative business) to some more picky locksmith if they do.
So unconnected people who want to try such attacks against Medeco locks need to make their own blanks. But that's not hard with a model-maker's midget milling machine, of which several brands are available.
(But Medeco is also less vulnerable to attacks of the sort described. The lock's pins have a wedge-shaped tip, the cut in the key is at an angle across the axis of the key, and the pin must be rotated by the proper angle as well as lifted to release.)
But most of those "do not duplicate" keys are just ordinary keys from common manufacturers, which have been stamped. The stamp relates to laws prohibiting the copying of such a key and penalizing vendors who get caught doing so.
Of course if someone sticks a label saying something like "garage" or "front door" over the stamp, most hardware store clerks won't notice the stamp and will blithely make as many copies as desired.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
A large flat headed screwdriver will defeat pretty much any lock in my building, and in most other offices too, without causing any damage to the door or the lock itself (no, I'm not telling the kiddies how - you should be able to figure it out for yourself). Why should I need to mess with trying to forge a master key?
Anyone trying to store anything valuable behind a door that uses a regular lock in this day and age is a fool.
This is totally obvious. Anyone who knows how a master key system works can do this and probably already has. I did it myself in college; it took a copy of my dorm key and a chainsaw sharpening file, both picked up from the hardware store for about $2, and about 90 minutes of fooling around, and I had a master key to the dorm.
The dorm management did discover it eventually. I didn't use it for anything but a little urban exploration, but I think I let a few too many people back into their rooms after their roommates locked them out and the RA wasn't around, and it became common knowledge that I had the key.
They asked how I found out how to make master keys, but didn't seem to be too convinced when I just said "Well, it's obvious, isn't it? Just think for a minute and anyone could figure it out." Probably the wrong thing to say to someone who was probably a humanities major.
My knowledge came exclusively from the Junior Worldbook Encyclopedia entry on how locks work, plus about 2 minutes of thinking about it.
Janitors with hundreds of keys... hmm... the people paid almost nothing already have the master key. So what?
my roommate in college lost the key to unlock the doors on his car. We took it to the local keyshop
and they were able to make a working key without the original key in about 5 minutes.
All he did was put the proper blank in, holding it with a pair of lockjaw pliers, wiggled it a bit to turn it, then used a hand file to trim the key down.
A couple more fine-tuning filings and it worked just fine. Charge: ten bucks.
opened my eyes a bit about how "secure" locks really are.
I didn't think about using it other than on a car till I saw this article.
I just wanted to note here: digit means finger. You hold the key in your what? Paw?
I know this, because for Christmas 10 years ago, I went so far as to pull this on a foreign language student. "No, really. I can make a five digit calculator out of paper, with scissors..."
Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
Some (college kids) were even already bent over their practice locks honing their MIT lockpicking skills.
It's not just MIT. MOST technical colleges have a few people making master keys in every class. It's a tech puzzle. (On colleges with steam tunnels success also admits the practitioner to the tunnels, which are quite interesting places.)
There was a presentation on this vulnerability at a small computer conference last fall. It was one of the most heavily-attended sessions (nearly the whole conference membership). During it the audience was polled on how many of them had made master keys in their college years. Nearly all raised their hands.
I found out a few years back that you can actually make a copy of a key if you have a decent quality Xerox of that key. Make copy, tape to cardboard, cut out, put it in a regular key cutting machine, and away you go.
Don't blame me, I voted for Kodos
that's never lived in an apartment building at least.
No apartment building I've ever lived in has had "do not duplicate" keys. I've always been able to go to OSH and get copies of the door key, the apartment key, and the mailbox key as well.
"Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
I mean please. Locksmiths have known this for um, decades. Why do you think hotels have switched to electronic keys?
I think the post you replied to referred to the famous MIT Guide To Lockpicking, not picking locks on MIT. It's quite an interesting read if you want to learn something about locks.
Btw., what are steam tunnels?
Follow the money. I hadn't thought of this at all, of course you are right.
There are two types of people; those who divide people into two types of people, and those who don't.
But, consider all the "variables" there are to a typical key:
- number of pins (tumblers)
- heights of the pins
- shape of the "end" of the key (keyway)
items 1 & 2 are really the same (just padding the list to make it look impressive) which leaves the third item: the "shape" of the key as viewed head-on. You CAN use your current key impressed in wax/soap/silly putty to get that shape, then use that for making a mold to make your own blanks -- as they say, it ain't rocket science! BTW, this technique is referred to as 'impressioning' after the mark, or impression, left by the pin on the key.
Given one hour to live, the student replied: "I'd spend it with professor FP who can make an hour seem like a lifetime."
One nice "fix" (for new installs or re-keying) comes to mind. There's no rule that says a master key has to be cut higher for every tumbler position... so you could increase the complexity of the system in an exponential way again:
The result is that you'll still have a master keyed system but individual keys and locks will no longer give a linear search. Instead of making only (T+1) keys, now you'll have to search a space of (T^2) keys.
The logistics are much more imposing!
Look, to use this guy's system, you can make (T+1) pre-cut blanks, five to find the master heights and the sixth uncut one for making the final master.
Using the three points above though, you've made the cracker's job much more difficult. He'll have to go through the first phase with the five pre-cut keys and a file... but that's not all!
Since the lock may have false positions, he has to get access to another lock. This can be dangerous for an insider, since they could be caught trying keys on doors they're not supposed to be. Now he has to do all five tumbler heights with the file, again. That may give him enough information to make a sub-master key that would open both of those locks, but if both locks have some tumblers which match both high and low positions, he won't know which to use for the real master.
Okay, I've read the full article [that's what RTFA means, isn't it?], and they say that to defeat privilege escalation, you have to add to each lock pin a random additional pseudo-master-lock combination. However, they then note that this decreases the security of each individual lock.
What they don't say, but is easily calculated, is that you can raise the security of each individual lock by increasing the number of pins.
Specifically: if you have a single master key, then you have to go up from double-cut up to triple-cut. That means that I'll work with log-base-3 below (for triple cut).
In that case, the number P of additional pins you must add, having formerly had N pins, and having x (let us suppose 9) possible cut heights, then
P = N/[Log3(x)-1]
So if you have 9 possible heights for each pin, single master key, and 5 tumblers, then you can prevent privilege escalation with no further loss in security by going to 5+[5/(2-1)]=10 pins. Not common today, but not impossible. Currently most locks run from 5 pins to 8 pins. Add two pins to an 8 pin lock, and you get your 10 pin security, privilege-protected.
Or you can go open source.
Keying locks has been around quite some time. The diff now is that this allows a master key, indicating that each lock has the exact same set of pins, very very poor security practice.
We knew 3 of the heights, and some of the angles.
Took me 10 blanks and 4 hours but I eventually got it.
The tolerance of the angles isn't so hot; you really only need 0,-45,+45 and a bit of wiggling to cover all of them.
the point of the article, and the algorithm given above, is that it will generate a master key! Or what in computer circles is known as privilege amplification. You are using a low-privilege key to bootstrap a master key.
The vulnerability exists because conventional pin-tumbler keys are so easily made and altered. The method described is far more difficult if distribution of key blanks is closely controlled, the key is difficult to cut accurately, or the lock has extra keying mechanism (besides pin length). That's why any organization that takes security seriously uses professional quality locks (Medeco, for example) rather than a standard pin tumbler.
Don't fret about the lock on your house. Burglars won't bother figuring out the key any more than they bother using lock picks. It's much easier to kick the door in!
"Mr. Blaze suggested that creating a fake master key could also be made more difficult by using locks for which key blanks are difficult to get, though even those blanks can be bought in many hardware stores and through the Internet."
That'll stop the "terrorists."
And when the power goes off do you want it to fail open or fail closed?
First, I would hope that Bluetooth's low-power usage would allow the lock to continue functioning for several days on battery backup. After the battery is dead, I would expect a backup physical key system to be enabled. This key system would be disabled if the Bluetooth receiver was functioning properly, but engaged (solenoid) if backup-power is exhausted. This delay will allow me enough time to make arrangements to carry physical keys with me in the event of an extended power outage.
A simple Google search reveals the technique already! Why is everybody so excited about this? It's been known forever.
See:
here: Locksmith School
here: Decoding 101
I've routinely made blanks from sheet metal, or simply by filing the ways off a similar key. The only requirement is that the key slide into the lock; usually this just means a thinner key.
While what you say is true and you can generate a key to open a single lock, you missed the whole point of the article.
the point of the article, and the algorithm given above, is that it will generate a master key! Or what in computer circles is known as rights amplification. You are using a low-privilege key to bootstrap a master key.
Locksmiths and anyone who has read a locksmithing book have known this for years. Why the hell did it take AT&T Labs to "discover" it?
That's a start, but the problem just moves out to the sub-masters. Sub-masters can now be boosted to masters in exactly the same way. But you have at least decreased the number of people carrying the keys.
It seems to me a better solution is to make sure that every pin has at least two shear points but that the master and the normal keys share some shear points. The "extra" shear points now become combinatorically complex decoys. As it is, the rule is 'if it's not part of the regular key, it must be part of the master', so by violating this assumption we can make it difficult to solve the lock.
- the primary audience of Slashdot includes a huge majority
of college-going, dorm-living geeks, and
- it took about fifteen seconds to find a link to the actual
report detailing this master-key exploit,
we can assume that the physical security of every university and many high-schools will be compromised before the end of this week. Maybe it's time for me to go into business... I could set up a booth in the student union giving away pamphlets telling the "danger and weakness" of the dorm locks (dumbed-down exploit instructions with sketches of burglars and frightened co-eds) and make a fortune selling secondary locks!
I love press releases in the form of security alerts.
"AT&T decided that the risk of not getting any free press was great, so it has taken the unusual step of posting an alert to law enforcement agencies nationwide."
Most middle and upper class hotels have moved to electronic key entry systems. Many businesses and organizations have as well. With the heavy news coverage this is getting, now everybody, even poor folks, will want to move to systems, electronic or mechanical, that are less vulnerable. The increased demand should lead to larger economies of scales for such systems. Maybe think about buying lock stocks, if there are any.
This isn't exactly news...
I've known about the flaw in the master key system for a long long time.
Actually, in many circumstances you can get by the mechanism by continually retrying and wiggling your key until the fit hits.
It's not guaranteed, but it's a little better than using a file.
"You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
"make it easier for buglers and terrorists"
That's right! Watch out, you buglers! Your renditions of Taps, Reveille, and Charge might be seriously scrutinized by the Department of Homeland Security!
Oh, wait, you meant burglars... never mind...
If you search a little harder you'll discover that you don't even need the original key. With a file, two blanks and a half hour (or less) you can make a key to any lock.
(Except things like Medeco of course, but that's a different story anyway. Though I did once know a guy who could pick most Medeco locks by hand in about half a day!)
the following is quoted verbatim:
Our adaptive oracle attack is only effective against locks that have a single shear line used by both master and change keys. Although this is the case with the majority of mastered locks, there are commercially available designs that do not have this property. Locks with a separate master ring, for example, require that all pin stacks be aligned to the same one of two distinct master or change shear lines, and therefore do not provide feedback about the master bitting of a pin given the change bittings of the other pins. (Master ring locks, however, are actually more vulnerable to reverse engineering from lock disassembly by an attacker without access to the change key).
This attack assumes that the attacker has access to a modest supply of blank keys for the system. Whether this is a practical assumption depends on the particular system, of course, and some "restricted keyway" lock products may make it more difficult for the attacker to obtain blanks from commercial sources. However, blanks for many so-called restricted systems are in fact readily available from aftermarket vendors. Even when an exact blank is not commercially available, often a different blank can be milled down to fit. Unusual key designs, such as those employing a sidebar cut, may be more difficult to procure directly or modify from commercial sources, but blanks can still usually be fabricated in small quantities relatively easily by casting (especially since the attacker already possesses a working change key cut on the correct blank).
In medium-scale master systems, it may be possible to limit the information contained in any given lock, at the expense of somewhat increased vulnerability to cross keying and picking. In standard master schemes, each pin stack is cut only at the master and change depths. The attacker exploits the fact that any working depths not corresponding to the change key must be on the master. A natural way to frustrate the attack, therefore, is to add "false" cuts to some pin stacks that do not correspond to the master and that do not appear in the majority of other locks in the system. If one "extra" cut is added to each pin stack, the attacker will learn 2^P different possible master keys from one lock, only one of which will correspond to the "true" TMK bitting. These extra cuts must be selected very carefully, however, since each such cut reduces the number of unique differs available in the system. Effectively, the extra cuts create new subclasses of sub-master keys among locks that share the same false cuts, which the attacker must eliminate before learning the true high-level master key.
Some drink at the fountain of knowledge. Others just gargle.
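An added example, not from the thread and not code from Blaze's paper: a small Python model of the "adaptive oracle" attack described in the passage quoted above, and of the false-cut defence that the quoted paper (2^P candidate masters per lock) and the earlier "T^2 keys" post both describe. The lock model (a pin stack is just the set of depths at which it has a shear point), the 10-depth bitting range and the sample bittings are assumptions made for this example; a real attacker files P blanks progressively deeper rather than trying every depth independently, so the probe count here is an upper bound, not Blaze's blank count.

```python
# Added example (not from the original thread or from Blaze's paper): a toy
# pin-tumbler model used to simulate the "adaptive oracle" master-key attack
# quoted above, and to show why "false" cuts turn the linear search into
# 2^P candidate masters that need a second lock to resolve.
from itertools import product

DEPTHS = range(10)  # assumption: a 10-depth bitting system (0 = shallowest)


class Lock:
    """Each pin stack is modelled as the set of key depths at which it has a
    shear point. A key opens the lock iff every position hits a shear point."""

    def __init__(self, stacks):
        self.stacks = [frozenset(s) for s in stacks]

    def opens(self, key):
        return len(key) == len(self.stacks) and all(
            depth in stack for depth, stack in zip(key, self.stacks)
        )


def mastered_lock(change, master, false_cuts=None):
    """Standard master scheme: every stack is cut at the change depth and the
    master depth; optional per-position 'false' cuts model the decoy shear
    points described in the paper (and in the T^2 post above)."""
    if false_cuts is None:
        false_cuts = [()] * len(change)
    return Lock([{c, m, *f} for c, m, f in zip(change, master, false_cuts)])


def oracle_attack(lock, change):
    """Probe one position at a time: keep the change-key bitting everywhere
    else and try every other depth at position i. The lock acts as an oracle;
    any depth that still opens it must be a non-change shear point. Returns
    one candidate set per position and the number of test-key insertions."""
    candidates, probes = [], 0
    for i in range(len(change)):
        found = set()
        for d in DEPTHS:
            if d == change[i]:
                continue
            probe = list(change)
            probe[i] = d
            probes += 1
            if lock.opens(probe):
                found.add(d)
        candidates.append(frozenset(found))
    return candidates, probes


def candidate_masters(candidates):
    """Cartesian product of the per-position candidates: one key for a plain
    master system, 2^P keys when every stack carries one false cut."""
    return {tuple(k) for k in product(*(sorted(c) for c in candidates))}


def intersect_locks(*lock_change_pairs):
    """Repeat the attack on several locks and keep only masters common to all:
    false cuts that differ between locks fall away, the true master survives."""
    common = None
    for lock, change in lock_change_pairs:
        cands, _ = oracle_attack(lock, change)
        keys = candidate_masters(cands)
        common = keys if common is None else common & keys
    return common


# Constructed sample system (not real bittings): 5 pins, one top master key.
MASTER = (6, 2, 8, 4, 9)
CHANGE_A = (3, 5, 1, 7, 2)
CHANGE_B = (1, 1, 4, 5, 8)

# Plain mastering: the attack recovers the master from a single lock.
plain = mastered_lock(CHANGE_A, MASTER)
# False cuts: lock A and lock B each carry decoys in different positions.
lock_a = mastered_lock(CHANGE_A, MASTER, [(0,), (7,), (), (1,), ()])
lock_b = mastered_lock(CHANGE_B, MASTER, [(), (4,), (2,), (), (0,)])

if __name__ == "__main__":
    cands, n = oracle_attack(plain, CHANGE_A)
    print("plain system:", candidate_masters(cands), "after", n, "probes")
    cands_a, _ = oracle_attack(lock_a, CHANGE_A)
    print("lock A with false cuts:", len(candidate_masters(cands_a)), "candidates")
    print("after a second lock:", intersect_locks((lock_a, CHANGE_A), (lock_b, CHANGE_B)))
```

Against the plain system the per-position candidate sets each contain exactly one depth, so the product is the single true master. With one false cut on three of lock A's five stacks the same probes yield 2^3 = 8 candidates; running the attack again on lock B, whose decoys sit in other positions, and intersecting the two candidate sets leaves only the real master, which is exactly the "has to get access to another lock" step the earlier post argues makes the attack riskier for an insider.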
And specifically read section 9.10 about Master Keys. This stuff is pretty old and well circulated. The entire guide makes for a great read if you're bored. If you're interested in mind teasers, puzzles, and such, you'll appreciate what the guide talks about, even if you never attempt to pick a lock.
~Chris
We used this technique to figure out the grand master key for our school. That was in 1977... The school keys employed a registered blank but we managed to fabricate acceptable keys out of sheet metal.
A tougher problem was creating what's called a control key. This key is used to remove the guts of the lock (called the core) from the cylinder. The way this works is that the pins line up at a different level inside the lock, causing a separate sheath to turn and disengage the core from the cylinder.
Of course we had to have a control key. But it is nearly impossible to pick the lock at the control level since there is no way to put pressure on the inner sheath. (Some systems have grooved sheaths you can torque on with a special tool, but not this one. And of course there's no such thing as an individual control key.)
Since the control key level shared some (but not all) pin breaks with the master key it is theoretically possible to use the master to reduce the number of possible control keys. But we were never able to work it out. Eventually we found an abandoned door with a lock still on it and drilled it. That gave us our control key.
If they stored your info the page is free to load.
Its true, its illegal to possess anything that might be useful to a terrorist.
Key blanks and files? Pah, you could be busted for an A-Z
In the free world the media isn't government run; the government is media run.
I've known this method since I was a little kid. It's described in a book called _The Great Brain at the Academy_.
If you have a key which is part of a master system, you have access to the lock. You could disassemble your OWN lock to find the keying pattern for the master key by measuring the extra pin segments in your lock.... (Second post to this article, but just thought of that)
That's why the newer models have code chips embedded in the plastic handle. A plain copy may work in the door (in fact, my dealer even gave me a plastic "wallet" key in case I lock myself out someday) but it won't turn over the ignition.
Chips can have many more combinations than those allowed by even 7 tumblers, and the complexity can't be reduced if the number of bits is high and the generation algorithm is robust.
I have a small key (not sure where it came from) that opens about 50% of cheap padlocks. I think my landlady was surprised to find a 5 pound note locked in the gas meter box one day...I really needed the 50p pieces for the pool table, you see.
When I am king, you will be first against the wall.
Oddly enough, I can't believe someone has not made the connection here between this paper and the Sklyarov ilk of cases. I guess the only difference is that this is "Analog" rather than "Digital" and there's no Analog Millennium Copyright Act law.
Analogy: This guy writes a paper (software) that shows a way of unlocking any lock in a building (defeating the security measures.)
So just because it's an analog way of defeating an "analog" security system, this guy is in no way able to be prosecuted (at least the article doesn't mention it).
Yet another reason that the DMCA is really stupid and sucky (nice technical terms huh!) piece of legislation.
When the only tool you have is a claw hammer every problem starts to look like the back of someone's skull.
--Mike--